GDPR Compliance, Security and Access Control

Regulatory Compliance is always a worry for enterprises, but the General Data Protection Regulation (GDPR) has raised the anxiety level. With other compliance regimes like PCI compliance, you can hire an auditor to ensure you’re doing what the law requires.

But with GDPR, there’s no equivalent yet. There are companies offering guidance, but until the guidelines are actually enforced, it’s difficult to see which interpretation of the guidelines will become reality — you just have to hope your GDPR team understands how the regulators are thinking, and what priorities they are setting. And when the law goes into effect on May 25th, 2018, you will face extremely complex regulations and potentially huge fines. With the stakes so high, it’s crucial to show the regulators you’re doing everything you can to protect personal information from day one. You can’t do that if lax or broken access control policies are putting your users or customers at risk.

GDPR Compliance and Access Control Policy

GDPR is primarily a data management issue. The point of the law is to give EU citizens control of how their personal data is used, and ensure that organizations are handling and protecting that data properly. Some aspects of GDPR, such as the right to be forgotten, lie outside security and access control — they require complex changes in how personal data flows through your organization, and new mechanisms to allow EU citizens to request deletion.

However, the GDPR has strict requirements around preventing both malicious and accidental disclosure, and meeting those requirements demands strong security and an airtight access control policy. Access control decreases the attack surface, complementing your security efforts. When fewer people have access to sensitive data, there’s less risk of a compromised or malicious account disclosing or misusing protected data. And if an attacker manages to compromise an account, access control limits how much damage they can do.

The problem is that most SAP users have very little visibility into their access control measures, which can lead them to miss extremely serious vulnerabilities.

SAP Authorization Model and Display Roles

SAP access control is complicated, and it’s easy to introduce hidden risks into your system — for example, by failing to correctly lock down a display role. A display role is created as a master templates for a particular job, giving the users the authorizations that job requires. For example, a marketing executive might be authorized to see purchasing trends, but not personal data about individual customers.

When the display role is assigned to a particular user, those access restrictions are supposed to be locked down, so the user can’t change them. However, because of the complexity of the SAP authorization model, companies often fail to properly lock display roles. A knowledgeable user (or a hacker who has broken into their account) could actually change the settings to give themselves access they shouldn’t have, in order to steal, leak or vandalize data, creating a major compliance risk.

ControlPanelGRC: the Monitoring and Access Control You Need Now

ControlPanelGRC shines a light on SAP system health, providing powerful remediation on a timetable that supports GDPR compliance. We can stand up Segregation of Duties (SoD) monitoring in less than two days, allowing you to spot access control issues that pose GDPR risks almost immediately. We’ll follow that with robust remediation tools, so you can enter the GDPR era, confident in your ability to protect user data. And with continuous monitoring, combined with extremely granular control, you’ll be able to reduce risks, audit after audit and year after year.

Steve Lofthouse is a Solutions Architect on Symmetry’s EMEA team bringing 14 years of SAP cloud and managed service experience. He’s dealt with solutions coming from multiple perspectives in his experience including but not limited to: pre-sales, technical consultant, support and end user. With this experience, Steve is able to deliver all required components needed for almost any situation with a sound understanding, resulting in effective managed cloud environments for various enterprise solutions.